  1. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Mar 2002
    Location
    Florida
    Posts
    60
    Rep Power
    13

    Question: need help with split dns setup


    I read another post in this forum related to my question but it didn't help much. We have a local network with about 25 pc's with a mixture of *nix, apple, and windows. A RedHat 7.2 machine is the fileserver, ftp, web, mysql, and telnet server. DNS & mail is provided through the ISP. All internet and other functions work fine. There is a firewall in front of all the machines that provides security and NAT to all the machines. Now the problem is the RedHat machine has an internal ip address that is forwarded to it from the firewall. I can call up a webpage or any other function for that matter by the domain name outside of the network, but internally an internal ip address has to be issued in order to access anything from the server? I read that the split dns would be the best idea for my situation. I've got no idea really where to start besides installing bind 9 which I've done already.
    sreese@prcdigital.com
  2. #2
  3. No Profile Picture
    Contributing User
    Devshed God 1st Plane (5500 - 5999 posts)

    Join Date
    Oct 2000
    Location
    Back in the real world.
    Posts
    5,966
    Rep Power
    190
    i don't think you need complicated stuff like that.
    just setup a default route on your workstations pointing to your gateway (RH-machine) and then they should connect to your isp's nameserver.
    maybe you need to setup your RH-machine to act as nat-router too... then the firewall will think all requests come from it instead of from the workstations.

    hope this helps....
  4. #3
  5. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Mar 2002
    Location
    Florida
    Posts
    60
    Rep Power
    13
    The RH machine is just providing filesharing, webserving, ssh access, and ftp. The nat is provided through a separate hardware based firewall/router. So the client machines all use internal ip information.
    sreese@prcdigital.com
  6. #4
  7. No Profile Picture
    Contributing User
    Devshed God 1st Plane (5500 - 5999 posts)

    Join Date
    Oct 2000
    Location
    Back in the real world.
    Posts
    5,966
    Rep Power
    190
    do they have the firewall as their default gateway then?
  8. #5
  9. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Mar 2002
    Location
    Florida
    Posts
    60
    Rep Power
    13
    yes they do, the internal machines have ip's that span through 192.168.0.X, the server is 192.168.0.2, and the firewall is 192.168.0.1!
    sreese@prcdigital.com
  10. #6
  11. No Profile Picture
    Contributing User
    Devshed God 1st Plane (5500 - 5999 posts)

    Join Date
    Oct 2000
    Location
    Back in the real world.
    Posts
    5,966
    Rep Power
    190
    i just read your first post again, maybe i misunderstood you.

    do you want the dns server to give different IPs depending on whether it was connected from the internal network or outside?

    then i think you better setup a local domain for this. like make a dns server having one local zone ("mydomain.local") and have it forward everything else to the 'net. then your server is accessible by "www.mydomain.local" as well as "www.mydomain.com".

    could this help you?
  12. #7
  13. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Mar 2002
    Location
    Florida
    Posts
    60
    Rep Power
    13
    So far a split DNS setup seems to be the way to go. By the end of this weekend it should be completed and since I know there are several others that have mailed me I'll post the setup that works successfully for me. Basically our server is going to be the primary record holder and our ISP is going to be the secondary.
    sreese@prcdigital.com
  14. #8
  15. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jan 2001
    Posts
    4
    Rep Power
    0
    >> but internally an internal ip address has to be issued in order to access anything from the server?

    You can use /etc/hosts file or run an authoritative DNS server for your LAN.

    >> I read that the spilt dns would be the best idea

    Like I said, you can use /etc/hosts file. You'd need split horizon DNS setup only if your LAN domain is the same as your external domain.
    In some situations where you need to run qmail on LAN, then you must setup split horizon, because qmail NEVER read /etc/hosts file, but most services do.
  16. #9
  17. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Mar 2002
    Location
    Florida
    Posts
    60
    Rep Power
    13
    Thanks freebsd, I do agree that entries in the /etc/hosts file would work for the machines on the internal network. As you stated though the domain is the same as the domain name, which right now makes browsing the website impossible unless using the internal server network ip address.


    ? freebsd, how would I make hosts entries in a zone file for machines that use dhcp from the firewall/router?
    Last edited by neotrace; March 23rd, 2002 at 07:45 PM.
    sreese@prcdigital.com
  18. #10
  19. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jan 2001
    Posts
    4
    Rep Power
    0
    >> for machines that use dhcp from the firewall/router?

    Don't use dhcp if you run any servers. Anyway, if you need to know more about split horizon setup, and would like to ditch BIND (world's most insecure software) and give djbdns a try, do a search here with the search keyword: localdns
  20. #11
  21. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Mar 2002
    Location
    Florida
    Posts
    60
    Rep Power
    13
    Alright well thanks for the help freebsd, I've already installed and configured bind, so I'm going to try that first.
    sreese@prcdigital.com
  22. #12
  23. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Mar 2002
    Location
    Florida
    Posts
    60
    Rep Power
    13
    Would someone check out these conf files and make sure I'm going about everything right. I've already created my ns1.prcdigital.com name. Please remember that the ISP is going to remain the secondary name server while we are going to be the primary.
    Last edited by neotrace; April 15th, 2002 at 12:02 AM.
    sreese@prcdigital.com
  24. #13
  25. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jan 2001
    Posts
    4
    Rep Power
    0
    Just checked your prcdigital.com.zone file and that's not the way to setup split horizon in BIND.
    1) You need to delegate prcdigital.com to prcserver.prcdigital.com for LAN, don't use ns1.prcdigital.com for that.
    2) Don't use shortcuts in your zone records if at all possible. It doesn't help the readability but makes it worse.
    3) Set your 2nd NS to NS1.DELTACOM.NET, not its IP.
    4) Most important: There is no longer such a thing as CNAME, so just use multiple A records instead.

    >> while we are going to be the primary

    I don't think deltacom.net lets you do that.
  26. #14
  27. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jan 2001
    Posts
    4
    Rep Power
    0
    >> I got rid of the "shortcuts" meaning comments?

    Not that and your new file is still using shortcuts.

    So what's shortcuts?
    Code:
    @	IN	NS	ns1.prcdigital.com.
    and
    Code:
    ns1		IN	A	66.35.133.90
    What's not?
    Code:
    ns1.prcdigital.com.		IN	A	66.35.133.90
    It's extremely ugly for readability and you can make syntax errors easily when combining shortcuts and non-shortcuts, like yours.

    >> the CNAME is gone also

    But your new A records are illegal.
    Code:
    www.prcdigital.com.	IN	A	prcserver.prcdigital.com.
    ftp.prcdigital.com.	IN	A	prcserver.prcdigital.com.
    mail.prcdigital.com.	IN	A	mail.deltacom.net.
    A record means address record. Address means IP or something to do with numbers but yours is using hostname all the way, which can't be A record in the first place.

    When setting split horizon in BIND, you first need to run authoritative DNS for your LAN. That is, do not use public IP addr anywhere in your zone records or named.conf. Yes, it's the same domain - prcdigital.com.

    >> I don't understand "You need to delegate prcdigital.com

    You need to invent another local name or use prcserver, not ns1. Then you can run TWO authoritative DNS servers, one for external and one for LAN. And of course, setup your external as the forwarder of your internal so when you can't query an answer internally it will ask the external one.

    Sorry, I wish I could explain it in more detail but I chose not to on purpose just because you don't seem to understand the basics of DNS/BIND and are trying to get everything right in one go and in no time, which is a bad learning attitude.

    Lastly, what you should do now is to forget about ns1 entirely, just run authoritative DNS for LAN only.
  28. #15
  29. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Mar 2002
    Location
    Florida
    Posts
    60
    Rep Power
    13

    startup ?


    Everything seems in place now; when viewing the log, I question these lines:

    "Mar 28 15:15:20 prcdigital named[13779]: none:0: open: /etc/rndc.key: file not found
    Mar 28 15:15:20 prcdigital named[13779]: couldn't add command channel 127.0.0.1#953: file not found"

    What are these?


    The following is the original log entry:
    Mar 28 15:15:20 prcdigital named[13779]: starting BIND 9.2.0
    Mar 28 15:15:20 prcdigital named[13779]: using 1 CPU
    Mar 28 15:15:20 prcdigital named[13779]: loading configuration from '/etc/named.conf'
    Mar 28 15:15:20 prcdigital named[13779]: no IPv6 interfaces found
    Mar 28 15:15:20 prcdigital named[13779]: listening on IPv4 interface lo, 127.0.0.1#53
    Mar 28 15:15:20 prcdigital named[13779]: binding TCP socket: address in use
    Mar 28 15:15:20 prcdigital named[13779]: listening on IPv4 interface eth0, 192.168.0.2#53
    Mar 28 15:15:20 prcdigital named[13779]: binding TCP socket: address in use
    Mar 28 15:15:20 prcdigital named[13779]: none:0: open: /etc/rndc.key: file not found
    Mar 28 15:15:20 prcdigital named[13779]: couldn't add command channel 127.0.0.1#953: file not found
    Mar 28 15:15:20 prcdigital named[13779]: zone 0.0.127.in-addr.arpa/IN: loaded serial 1
    Mar 28 15:15:20 prcdigital named[13779]: zone 0.168.192.in-addr.arpa/IN: loaded serial 2
    Mar 28 15:15:20 prcdigital named[13779]: zone prcdigital.com/IN: loaded serial 2
    Mar 28 15:15:20 prcdigital named[13779]: running
    Mar 28 15:15:20 prcdigital named[13779]: zone prcdigital.com/IN: sending notifies (serial 2)

    Here's the configuration file:
    options {
        directory "/var/named/";                // zone file names below are relative to this directory
        pid-file "/var/run/named/named.pid";
        query-source address * port 53;         // source address/port for outgoing queries
    };

    // root hints, used to resolve names outside the zones served here
    zone "." { type hint; file "root.hints"; };

    // reverse zone for the loopback network
    zone "0.0.127.in-addr.arpa" {
        type master;
        file "0.0.127.in-addr.arpa.zone";
        notify no;
    };

    // reverse zone for the 192.168.0.0/24 LAN
    zone "0.168.192.in-addr.arpa" {
        type master;
        file "0.168.192.in-addr.arpa.zone";
        notify no;
    };

    // forward zone for prcdigital.com; notify defaults to yes here,
    // which is why the log shows "sending notifies" for this zone
    zone "prcdigital.com" {
        type master;
        file "prcdigital.com.zone";
    };
    Last edited by neotrace; March 28th, 2002 at 03:01 PM.
    sreese@prcdigital.com